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REMARKS/ARGUMENTS 

In the Final Office Action, the Examiner objected to the Abstract as being more ±an the 
recommended 50 to 150 words in length. Although the correspondence filed on January 5> 2005 
included amendments to the Abstract, the present Final Office Action indicates that an Abstract 
on a separate sheet is required. As noted above» an Appendix including an amended Abstract is 
attached after sheet 19 of this paper. The amendments incorporated into the enclosed Abstract 
are the same as those originally presented in the correspondence of January 5, 2005. For 
completeness, tliose amendments have also been included in the preceding ^'Amendments to the 
SpeciFication" section. 

It is believed that the amended Abstract is within the recommended length of 50 to 150 
words, and accordingly will be acceptable to the Examiner. 

Regarding the rejection of claims 8, 9, 28 and 29 under 35 U.S.C. 1 12^ second paragraph, 
as being indefinite, claims 8, 28 and 29 have been amended to remove references to X.500, and 
claim 9 has been cancelled. Therefore, none of the claims in the preceding listing of claims refer 
to X.500. It is thus respectfully submitted that all of the claims now comply with 35 U^S.C. 1 1 2, 
second paragraph, and that the claim rejections under this paragraph should be reconsidered and 
withdrawn. Since the rejection of claims 8, 28, and 29 has been traversed, these claims are 
believed to be allowable. 

It appears &om the Final OfQcc Action Summary and paragraph 7 on page 3 of the Final 
Office Action that the Examiner intended to maintain the rejection of all of the former claims 1 
to 55. It is noted, however, that claims 12, 31, 43 and 52 have not been rejected. These claims 
had been rejected under 35 U.S.C. 1 12, second paragraph, in the previous Office Action dated 
March 22, 2007, In response to that Office Action, the claims were amended to delete the 
allegedly indefinite phrase "from time to time*', so as to fully address the rejection. Since that 
rejection has not been maintained in the Final Office Action, and the Final Office Action does 
not include a new rejection of those claims, it is believed that at least claims 1 2, 3 1 , 43 and 52 
are also allowable. 
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The remaining claims 1 to 7, 10, 1 1, 13 to 27, 30, 32 to 42, 44 to 51 and 53 to 55 remain 
rejected under 35 U.S.C. 1 03(a) as being unpatentable over U,S* Patent No. 6,725,240 
(hereinafter "Asad**) in view of "S/MIME Version 3 Certificate Handling" (hereinafter 
"Ramsdell") and in view of **UniCERT| Policy Support: Operational Controls" (hereinafter 
"UniCERT'), As discussed in detail below, the Applicants maintain that the rejected claims arc 
not obvious in view of the combined teachings of the cited references. 

The arguments submitted on July 19, 2007 in response to the previous Oflice Action, m 
which Ihe same references were cited, are discussed on pages 2 and 3 of the Final Office Action. 

The Examiner notes on page 2 of the Final Office Action that one cannot show 
nonobviousness by attacking references individually where the rejections are based on 
combinations of references. Although the references were to some extent discussed individually 
in the correspondence filed on July 19, 2007 in response to the previous Office Action, this 
appeared to be the most logical manner of presenting those arguments. It was the Applicants'" 
intention to show that certain claimed features were absent from each of the references, and 
accordingly those features were also absent from the combination of references. It stands to 
reason that if none of the cited references teach certain claimed features, then those features 
cannot possibly be disclosed in a combination of the references. 

In any case, the Applicants have made diligent effort to present the arguments below in 
respect of the combined teachings of the cited references. 

According to the Final Office Action, Asad teaches an apparatus and method for 
protecting against data tampering in an audit subsystem and for creating and verifying audit logs 
in a relational database without compromising the ability to detect data tampering in a data 
processing system. Ramsdell suggests setting up a certificate database which in its simplest form 
would be local to a user and would function in a similar way as an address book. Contact 
information in Ramsdell may be in the form of the alternative name extension used in S/MIMB 
as the preferred means to convey RFC-822 e-mail addresses that correspond to the entity for a 
certificate. In the paragraph entitled "Certificate Rollover"' on page 2 of UniCERT, it is 
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Stated that the subject of a certificate should be informed when the certificate reaches the end of 
its validiTy, and should then appiy for a new certificate. 

It appears as though the Examiner is asserting that the audit system disclosed in Asad, 
when combined with the teachings of a certificate database and certificate rollover in Ramsdell 
and UniCERT, render the claimed invention obvious. Although such a combination might 
provide an audit system, a certificate database, and a mechanism for informing a message 
receiver or a certificate subject in the event of a problem with a certificate, the present claims 
include other features that would not be obvious from such combined teachings. 

Considering first claim 1, this claim clearly recites maintaining a record-user mapping 
which associates with each of a plurality of record identifiers a respective one or more user 
names. In respect of this feature, paragraph 5 on page 3 of the Final Office Action refers to 
"maintaining the user name-addressable entity mapping firom each user name to the respective 
addressable entity (See Ramsdell, page 5, Section 3)". This section of Ramsdell refers to various 
names and addresses that may be provided in certificates, but provides no disclosure whatsoever 
as to mapping record identifiers to user names. 

Therefore, a combination of the cited references might incl ude some sort o f an audit 
system and a certificate database, which combination on its face might appear to be similar to the 
subject matter defined in claim 1 , However, such a combination of the references would lack at 
least the claimed record-user mapping. This distinction might be most easily illustrated with 
reference to Figxire 1 of the present application. 

This figure shows a PKI server 10, which includes an audit record repository 14 and 
interacts with^ among other elements, a remote notification tool 18 and a published certificate 
repository 1 2. It is suspected that the Examiner's position on obviousness is based primarily on 
the alleged disclosure of several pieces of this system in the cited references. As noted above, 
combining the teachings of the cited references might provide some sort of system in which an 
audit system, a certificate database, and an informing mechanism are implemented. 
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Of particular note in l^igure 1 is the element 24, the audit record-user mappings. As 
shown, and also as recited in claim 1, a record-user mapping associates with each of a plurality of 
record idcntificyrs a respective one or more user name$» The user names in the audit record-user 
mappings 24 are used by the remote notification tool 1 8 to obtain a respective addressable entity 
from the published certificate repository 12 for sending a notification of a record. This link 
between audit records and user names is entirely missing from the combined teachings of the 
cited references. 

It is apparent from the Final Office Action as well as the previous Office Action that the 
certificate database disclosed in Ramsdell, and in particular the certificates that may be stored in 
such a database, are being inteipreted by the Examiner as a form of user name-addressable entity 
mapping. From the foregoing discussion of claim 1 with reference to Figure 1 of the present 
application, it should now be clear that the method of claim 1 includes two diflFerent types of 
mappings. Even if one were to consider certificates tliat may be provided in a system which 
combines the teachingsS of all three of the cited references as being a form of user name- 
addressable entity mapping, the combined teachings would still lack any sort of record-user 
mapping, as clearly recited in claim L 

In summary, claim 1 recites a method in which a record-user mapping specifies one or 
more user names associated with each of a plurality of record identifiers. For a record upon 
which remote notification is to be performed, the one or more user names associated with the 
record identifier of that record is obtained from the record-user mapping, and for each name, an 
addressable entity is obtained from a user name-addressable entity mapping. ITie claimed 
method involves not only obtaining an addressable entity for each user name, but also 
determining the particular user names for which remote notification of a record is to be 
generated. The combined teachings of the cited references lack any mechanism whatsoever for 
associating records with user names. 

It is further respectfully submitted that remote notification as defined in claim 1 also 
would not be obvious from the combined teachings of the cited references. The references 
disclose, at most, informing an end user of a processing failure (see page 10 of Ramsdell) and 
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informing the subject of a certificate that the certificate has expired (see page 2 of UniCERT). A 
person skilled in the art to which the present application pertains, however, would appreciate that 
informing a user of a problem with a certificate, as proposed in Ramsdell, 15 not at all analogous 
to remote notification as claimed* When a user receives a message and an attached certificate, 
for example, the certi ficate is processed and a determination is made as to whether the certificate 
is actually valid and is associated with the message with which it was received. In the event that 
a certificate is not valid or is not associated with the message, an error or other indication is 
provided to the receiving user. When a certificate is being used to generate a message to be sent 
to the subject of a certificate, an error or other indication would similarly be provided, locally, to 
the user of the certificate, and not to the actual holder of the certificate. 

In the proverbial example of "Alice" and "Bob", if a problem with Bob's certificate is 
detected when Alice is processing a secure message that is received firom or is to be transmitted 
to Bob, an error or other indication is provided only locally to Alice. Bob is not typically notified 
of the problem with his certificate. 

In the context of certificate rollover, the subject of a certificate might be informed when 
the certificate has expired. Such expiry affects the certificate itself Thus, when a certificate 
expires, the subject of that certificate. Bob in the above example, might be informed. 

The present claimed invention provides a much more generic remote notification 
mechanism. An audit record can be associated with any user names. These user names are then 
used to obtain addressable entities for remote notification. The combined teachings of the cited 
references may provide for a local error indication in the event of a certificate processing failure 
or informing the subject of a certificate of expiry of the certificate itself. The local indication of 
a processing failure cannot be reasonably interpreted as a form of remote notification, and 
informing a certificate subject of expiry of the certificate does not contemplate the claimed 
notion of identifying addressable entities for remote notification based on a record-user mapping. 

Claim 1 is thus patentable over the combination of Asad, Ramsdell, and UniCERT for at 
least these reasons. 
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Claims 2 to 8 and 10 to 19 depend from claim 1 and are patentable over the cited 
references for at least the same reasons as claim 1 . 

Independent claim 37 is an apparatus counterpart to the method claim 1, and recites. 
Inter alia, a record-user mapping memory structure which associates for each of a plurality of 
record identifiers a respective one or more user names, and a record processing entity adapted to 
obtain one or more user names for the record identifier of a record from the record-user mapping, 
and to obtain for each user name a respective addressable entity from a user name-addressable 
entity mapping, A notification of a record h sent to the addressable entity through a notification 
interface. 

Independent claim 37 thus patentably distinguishes over the combination of the cited 
references for similar reasons as claim 1 , At least the claimed record-user mapping memory 
structure and the remote notification mechanism implemented using that memory structure and 
the claimed record processing entity would not be obvious from the combined teachings of the 
cited references. 

Claims 38 to 45 depend from claim 37 and are patentable for at least similar reasons. 

Considering now independent claim 20, this claim refers to identifying at least one record 
identifier for which target record processing is to be performed. For a record identifier for which 
target record processing is to be performed, a target user name that identifies a user name which 
was a target of an operation which resulted in the record is read from an associated record, a 
respective addressable entity for the target user name is obtained from a user name-addressable 
entity mapping, and a notification of the record is sent to the addressable entity. 

According to the combined teachings of the cited references, an audit client from which 
an event is received is notified of any of various failures during audit record creation, Tliis is 
disclosed, for example, in column 8, line 53 to column 9, line 27 of Asad. Thus, the audit client 
that reports an event is notified if a failure occurs during creation of an audit record for that 
event. It would be readily apparent to any person skilled in the art to which the present 
application pertains that on audit client that reports an event is not the target of an operation 
which resulted in a record, as recited in claim 20, 
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If one were to suppose that, in a system that combines the teachings of the cited 
references, an audit client reports an event that affects a certificate stored in a certificate database^ 
then that audit client, and not the subject of the certificate, would be notified of a failure during 
creation of an audit record for that event. The cited references provide no suggestion or 
teachings whatsoever as to any other notification relating to an audit record, 

*f hcreforc^ at least the features of reading from an associated record a target user name 
which identifies a user name which was a target of an operation which resulted in the record, 
obtaining an addressable entity for the target user name from a user narne-addressable entity 
mapping, and sending a notification of the record to the addressable entity patentably distinguish 
claim 20 over the cited references. Claims 21 to 36 depend from claim 20 and are patentable 
over the cited references for at least the same reasons. 

Independent claim 46 is an apparatus counterpart of the method claim 20, and accordingly 
claim 46 and its dependent claims 47 to 52 are patentable over the cited references for similar 
reasons as claim 20. 

Finally, claims 53 to 55 depend from preceding claims and are patentable over the cited 
references for at least the same reasons as the claims from which they depend. 

It is thus respectfidly submitted that all of the claims remaining in tlie application are 
patentable over the cited references. Reconsideration and withdrawal of the claim rejections 
under 35 U.S.C. 103(a) are respectfully requested. 

The Applicants note that the rejection of claims 8, 28, and 29 and the rejection of 
claims 1 2, 3 1 , 43 and 52 have been traversed, and at least these claims should be allowed. The 
remaining claims are also allowable over the cited references, as discussed in detail above, 

The present amendments and arguments are intended to place the application into 
allowable form, and tliereforc entry and consideration thereof are respectfully requested. 
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It is further noted that the claims originally presented in this application were at one point 
considered to be allowable. The Applicants respectfully submit that this was the correct finding 
in respect of this application, and that the claims remain allowable over all references of record. 

In the event that any further issues remain to be resolved in order to place the application 
into allowable form, the Examiner is invited to contact the undersigned by telephone, so as to 
most quickly resolve such issues. 



Respectfully submitted. 




R, Allan Brett 
Reg, No. 40,476 
Tel.: (613)232-2486 



Date: December 3, 2007 



DMW/RAB/lsj 
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